A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. The variety of devices may execute a myriad of different services and communication protocols. Each of the different services and communication protocols exposes the network to different security vulnerabilities.
Conventional techniques for detecting network attacks use pattern matching. In particular, an intrusion detection system (IDS) device applies regular expressions or sub-string matches to detect defined patterns within a data stream. Multiple patterns may be used in an attempt to improve the accuracy of the attack detection. In order to improve the probability of detecting an attack, the IDS may attempt to identify the type of software application and protocol associated with the data stream. Based on that identification, the IDS selects the appropriate patterns to apply in order to detect a network attack, a term used herein to include viruses and other malicious activity.
Conventionally, many IDSs associate applications with a static port assignment and use these static port assignments to determine the type of application and protocol associated with a given data stream. Likewise, conventionally a single application operates at the application layer, or layer seven (L7), of the Open Systems Interconnection (OSI) networking model. However, certain software applications now employ dynamic or randomized port assignments rather than conforming to the static port assignments; for example, hacker toolkits may use dynamic port assignments in order to evade detection and containment. Moreover, certain L7 software applications, such as Kazaa™ and Yahoo!® Messenger, utilize other L7 protocols, such as the HyperText Transfer Protocol (HTTP), as transport applications; that is, multiple software applications may concurrently operate within L7 as a “stack” of software applications.
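The two identification strategies contrasted above, static port lookup versus identification from the content of the stream, are illustrated by the following added example. It is not part of this document and does not describe any particular product; the port table, the per-protocol pattern sets, the three sample data streams, and the `X-Chat-Proto` header that marks a hypothetical chat application tunnelled over HTTP are all constructed for the illustration. The example shows that the port-based IDS applies no patterns to an HTTP stream on a randomized port and never reaches the application stacked inside HTTP, while content-based identification decodes the L7 "stack" and applies each layer's pattern set to that layer's own data.

```python
import re

# Constructed static port table, as a conventional IDS would consult it.
STATIC_PORTS = {80: "http", 25: "smtp"}

# Constructed per-protocol pattern sets: (rule name, compiled regular expression).
PATTERNS = {
    "http": [("http-traversal", re.compile(rb"\.\./\.\./"))],
    "chat": [("chat-bad-payload", re.compile(rb"BAD-PAYLOAD"))],
    "smtp": [("smtp-bad-sender", re.compile(rb"MAIL FROM:<bad@example\.invalid>"))],
}

# Request line of an HTTP/1.x request (enough for this illustration).
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")


def identify_by_port(port, payload):
    """Conventional approach: the port alone decides which protocol (if any)
    the stream carries. Returns a list of (protocol, data) layers."""
    proto = STATIC_PORTS.get(port)
    return [(proto, payload)] if proto else []


def identify_by_content(payload):
    """Identify the L7 stack from the bytes themselves. Returns layers
    outermost first so each layer's patterns run over that layer's data."""
    layers = []
    if HTTP_REQUEST.match(payload):
        layers.append(("http", payload))
        head, _, body = payload.partition(b"\r\n\r\n")
        # Constructed marker (hypothetical header, not a real protocol): the
        # tunnelled chat application tags its HTTP requests with it.
        if b"\r\nX-Chat-Proto: 1\r\n" in head + b"\r\n":
            layers.append(("chat", body))
    elif payload[:5] in (b"EHLO ", b"HELO "):
        layers.append(("smtp", payload))
    return layers


def scan(layers):
    """Apply the pattern set selected for each identified layer."""
    hits = []
    for proto, data in layers:
        for name, rx in PATTERNS.get(proto, []):
            if rx.search(data):
                hits.append(name)
    return hits


def inspect(port, payload, mode):
    """Return (identified protocol stack, matched rule names) for one stream
    under either the 'port' or the 'content' identification strategy."""
    if mode == "port":
        layers = identify_by_port(port, payload)
    elif mode == "content":
        layers = identify_by_content(payload)
    else:
        raise ValueError("mode must be 'port' or 'content'")
    return [proto for proto, _ in layers], scan(layers)


# Constructed sample streams: (destination port, first bytes of the stream).
STREAMS = [
    # Ordinary HTTP on its static port: benign under both strategies.
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # HTTP on a randomized port: the port table knows nothing about 8081.
    (8081, b"GET /../../private HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Chat application stacked on HTTP; the suspicious content is in the body.
    (80, b"POST /relay HTTP/1.1\r\nHost: chat.example.com\r\n"
         b"X-Chat-Proto: 1\r\nContent-Length: 16\r\n\r\nMSG BAD-PAYLOAD\n"),
]


if __name__ == "__main__":
    for port, payload in STREAMS:
        for mode in ("port", "content"):
            stack, hits = inspect(port, payload, mode)
            print(f"port={port:<5} mode={mode:<8} stack={'/'.join(stack) or '-':<10} hits={hits}")
```

Running the block prints one line per stream and strategy: the second stream is identified as HTTP and flagged only under content identification, and the third is flagged only when the chat layer inside HTTP is decoded and its own pattern set applied to the HTTP body.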